Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

mstats command

Shakira1
Explorer
‎10-04-2023 12:07 AM

Hi,

I have this command: 

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

and I would like to count the host and trigger when I have less then 3 hosts. 

I tired something like that:

```|stats dc(host) as c_host | where c_host > 3,``` but its not working as usual .

 

any idea? thanks!  

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 12:43 AM

this is my search: 

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5

which is working fine. 

I just want to create a new alert that triggered when the host count is less then 3. 

how can I do that?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 12:46 AM

If that is your search, you should be getting an error!

Is the search relevant to the count you want i.e. should the count be based on the results of a working search, or from the index, or from part of the search?

0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 01:08 AM

not sure why you say that. but its working.

just to be clear = value1 = to some internal parameter.

index = my index.

and base on that Im getting information about  the hosts . 

now I just want to count how many hosts reporting, when its less then 3 I want to trigger about it. 

hope its clear now. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 01:19 AM

| mstats avg("value1) prestats=true WHERE "index"="my_index" span=10s BY host

has a missing double quote so will give you an error

Also, assuming that this is corrected, you will get a field called something like "avg(value1)"

This means that you no longer have a field called "value1" so the timechart command has no field to do an average on.

This is why the search you provided does not work.

Assuming it is the timechart table that you want to count hosts for, you could untable the chart table

| untable _time host average
| stats dc(host) as c_host 
| where c_host < 3

 

0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 02:12 AM

now I see 

first I missed double quote, so you are correct - so my search is: 
| mstats avg("value1") prestats=true WHERE "index"="my_index" span=10s BY host
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5
 
now, if I want to search by what you worth:
| mstats avg("value1") prestats=true WHERE "index"="my_index" span=10s BY host
| untable _time host average | stats dc(host) as c_host 
 
OR
| timechart avg("value1") span=10s useother=false BY host WHERE max in top5
| untable _time host average | stats dc(host) as c_host
 

 

Anyway, I want to use mstats function and get a count for the host. 
0 Karma
Reply

Shakira1
Explorer
‎10-04-2023 02:15 AM

Ok, now i see and get the data. 

 

thanks!

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2023 12:41 AM

It is not clear what you have actually tried and what is "not working". Please provide your full search, anonymised as necessary, and show how it is not working.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top